[Openswan Users] Using Openswan 2.4.0 with a Watchguard Firebox II

Paul Overton paul at trusted-management.com
Tue Jan 17 23:23:14 CET 2006


Jason,
 
Have you had any luck with getting Openswan to work with the Watchguard Firebox
II yet?
 
I did this approx. 2 years ago, and so far as I am aware the formula should
still work.
 
Which version of Firebox software are you using? You will need at least
version 5.
 
I have never used Aggressive mode, but have chosen to use PSK with LAN to
LAN networks. 
 

--
Paul Overton



  _____  

From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Jason Green
Sent: 16 January 2006 22:55
To: users at openswan.org
Subject: [Openswan Users] Using Openswan 2.4.0 with a Watchguard Firebox II


I'm running Openswan U2.4.0/K2.6.12-10-amd64-generic on Ubuntu Breezy and
trying to connect to a Watchguard Firebox II with no success.  I have full
access to the router and can make whatever changes are necessary.  The old
Interoperating wiki for Watchguard seems quite out of date, since many of
the options on the original mailing post are no longer valid.  One caveat...
I'm running this on my Linux box which is behind my Zyxel Firewall.  The
Zywall has an option to forward IPSEC requests for VPNs.  This works fine
using the Watchguard Windows client MUVPN, but I'm trying to avoid running
Windows.


Here's the error lists that I get on my Watchguard System Manager:

From <my remote ip> AG-HDR  ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID
Proposal is unacceptable: mess_id=0
Sending NO_PROPOSAL_CHOSEN message
Error processing (sa)
Agresssive Mode processing failed
Header invalid (unable to verify, msg = ISA_SA)

followed by "Skipping duplicate packet from <my remote ip>"


And, here is the error I get from running "ipsec auto --up my_connection":
003 "my_connection" #1: multiple transforms were set in aggressive mode.
Only first one used.
003 "my_connection" #1: transform (5,2,2,0) ignored.
003 "my_connection" #1: multiple transforms were set in aggressive mode.
Only first one used.
003 "my_connection" #1: transform (5,2,2,0) ignored.
112 "my_connection" #1: STATE_AGGR_I1: initiate
010 "my_connection" #1: STATE_AGGR_I1: retransmission; will wait 20s for
response


Here's my ipsec.conf file:

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        uniqueids=yes

# Add connections here
conn my_connection
        type=tunnel
        keyingtries=0
        authby=secret
        left=192.168.1.34      # that is my IP behind my firewall
        leftnexthop=%defaultroute
        leftid=jave27@gmail.com
        right=<my_server_ip>
        rightsubnet=192.168.0.0/24
        rightid=@gmail.com
        aggrmode=yes
        auto=add
        ike=3des-sha1
        pfs=yes

I've tried all sorts of combinations, adding other options, getting rid of
almost all of them, but nothing seems to work.  Any tips or pointers to the
right direction would be spectacular.  Thanks in advance!

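The thread ends without a working configuration, so here is an added example (not from Paul, Jason or the Openswan project) of the ipsec.conf changes that address the two warnings visible in the posted output. The Openswan lines "multiple transforms were set in aggressive mode. Only first one used" and "transform (5,2,2,0) ignored" appear because ike=3des-sha1 with no DH group named is expanded to both a modp1536 and a modp1024 variant, and IKEv1 aggressive mode can carry only one phase 1 transform (the KE payload in the first message already commits the initiator to a single group). The Firebox then answers NO_PROPOSAL_CHOSEN because the one surviving proposal does not match its IKE policy. The remedy is to name exactly one transform for phase 1 and one for phase 2, with encryption, hash, DH group, authentication method and lifetimes all matching what is configured on the Firebox. The DH group (modp1024), the esp= line, the lifetimes, nat_traversal=yes and the ID values are assumptions for illustration; the real values must be read off the Firebox's IKE and IPsec policies.

```conf
# Added example: ipsec.conf for Openswan 2.4.x initiating an IKEv1
# aggressive-mode, PSK-authenticated LAN-to-LAN tunnel to a peer that
# accepts only one proposal per phase.  Everything not taken from the
# posted config (DH group, esp=, lifetimes, nat_traversal) is an
# assumption and has to be matched to the Firebox's policy.
version 2.0

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        uniqueids=yes
        # Assumption: the initiator sits behind a NAT device (the Zywall),
        # so NAT-Traversal (UDP/4500) must be enabled here and supported
        # by the Firebox; without it the ESP traffic will not survive NAT.
        nat_traversal=yes

conn my_connection
        type=tunnel
        keyingtries=0
        authby=secret
        aggrmode=yes
        pfs=yes
        auto=add
        left=192.168.1.34
        leftnexthop=%defaultroute
        # ID type and value must be exactly what the Firebox expects for
        # this PSK peer (assumed: the same IDs as in the posted config).
        leftid=jave27@gmail.com
        right=<my_server_ip>
        rightsubnet=192.168.0.0/24
        rightid=@gmail.com
        # Exactly one phase 1 transform: aggressive mode cannot offer more
        # than one, so the DH group is spelled out (assumed: group 2).
        ike=3des-sha1-modp1024
        # Exactly one phase 2 transform matching the Firebox IPsec policy
        # (assumed: 3DES/SHA1; the PFS group follows the phase 1 group
        # unless one is given on this line).
        esp=3des-sha1
        # Lifetimes that match the peer; mismatched lifetimes are another
        # common cause of NO_PROPOSAL_CHOSEN (assumed values).
        ikelifetime=8h
        keylife=1h
```

After editing, reload the connection with `ipsec auto --replace my_connection` and bring it up with `ipsec auto --up my_connection`; the "multiple transforms" warning should no longer appear, and if the Firebox still logs NO_PROPOSAL_CHOSEN the remaining mismatch is in one of the fields above, which the Firebox log line (AG-HDR ... ISA_SA) does not break down further, so compare them one by one against its IKE policy.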